Some thoughts on our passwords

As our lives slowly move into the clouds, we have to make sure that our passwords get stronger as well. It is established that perfect passwords need to be complex, unique and memorable – the problem is that it's impossible to fulfil all three requirements at the same time. First you can read a bit of an intro on passwords and their place in our world, and on the second page I'll show you a trick to create the perfect password (?)... well, one which ticks the three criteria above at least.

Passwords

We are putting more and more of our data in the online clouds: our pics, music, thoughts, conversations, video games, shopping lists, bank details, everything really. Even plugging an external hard drive or a mobile phone into the computer feels like a hassle these days, at least for me. This, in turn, makes our data pretty damn vulnerable. It's simple, but we often forget that our data doesn't sit with us physically anymore; instead, it lives on remote servers somewhere out there in the world. That's why passwords and authentication these days need a bit more care – they are guarding a way bigger chunk of our lives than they did a couple of years ago.

Edward Snowden was talking about passwords a couple of weeks ago with John Oliver. I don't think there are a lot of better people out there to talk about passwords and security than an ex-SysAdmin for the CIA and the DIA who ended up turning the world upside down – and of course those two guys together are hilarious too, so if you've got 3 mins, do watch the video below. Snowden makes a point about dictionaries, long passwords with mixed-case letters, numbers and symbols in them, and finally walks the walk too, coming up with a pretty cool password himself at the end to the delight of Oliver. Not.

Now as amazing as "margaretthatcheris110%SEXY" is (after all, it would take an ordinary PC around 88 nonillion years to crack it), it doesn't solve one of the fundamental issues of our online presence. That is, if our password gets stolen from somewhere, we are in deep trouble. These days, as our passwords protect more and more of our personal and professional lives, big companies are attacked on a daily basis for our valuable information – and even though 99% of these attacks are unsuccessful, we are getting in trouble more and more often just because of the sheer number of the attacks. Just to name a few security breaches of late: LinkedIn, Twitter, Adobe, Yahoo, Kickstarter, Forbes, and of course, the list goes on and on. It's important to mention that our passwords can also be stolen from us with fancy things, like keyloggers, not so fancy things, like looking over the shoulders, and extremely fancy things, like breakups too (right, guys?). This means that even if you're using the most uncrackable "margaretthatcheris110%SEXY" everywhere, if someone can somehow get their hands on it, you are in deep trouble.

Disturbingly, 80% of people said they were reusing their password.

Lorrie Faith Cranor: What’s wrong with your pa$$w0rd?

So what do most people do to stay safe in case their passwords get stolen? According to a recent study at Carnegie Mellon University, well, 80% of the people don't do anything. They reuse the same password over and over again, everywhere. Ouch. A further 17% of the people play it smarter: they write their passwords down. Even though it sounds like a terrible idea at first, it's actually still better than using the same password over and over again. I have a friend who has a Word doc filled with pictures of random food recipes and illustrations – but under the pictures, if you pulled them to the side or deleted them, you'd get to all the juicy stuff. Smart, right? It definitely is, until you lose the one unified document or book containing all your info. Or worse, if it gets straight into the wrong hands... because then you really are screwed. That's the problem I see with password managers as well: if you lose them or someone gains access to them, it's straight up DEFCON 1.


Basically in an ideal world, your passwords need three properties to do the job well enough and keep you safe:

  1. Complex: to make them resistant to brute force.
  2. Unique: different passwords to make sure that if you lose one, you're still okay everywhere else.
  3. Memorable: what are they worth if you forget them, right?

So far creating the perfect password has been thought to be impossible, as, according to theory, you will definitely end up breaking at least one of the above criteria. For example if you create complex passwords which are unique everywhere, you will end up forgetting them. If you come up with a complex password which you will remember for sure, it means that you're not using different, unique passwords everywhere. Tough cookies, right? Well maybe not completely, if you use the trick below.

Here is a trick that could save you a bit of the hassle: it generates unique passwords without you having to remember more of them than you have fingers. In fact, all you need to remember is one single password. To make it different each and every time though, we'll use the name of the website or service we are using it on to derive a different password each time. For our example, let's go with the simple password Batman#422 to begin with.

Batman#422
Our basic fireplace password.

The idea is to use the name of the service or site we are using the password on (from now on I'll refer to this as the source) to spice it up differently every time. For a start, let's say we take the first letter from the left of the source every time, and insert it as the first letter from the left into our password. This means that on Amazon we'd take A, on Twitter we'd take T, on Facebook we'd take F, and would simply put these letters in front of our basic password.

ABatman#422
Our password on Amazon.

This is already pretty cool, and it means we have a different password each and every time, while having to remember only one. If we go one step further, we can solve another issue. Edward Snowden, in his interview on the previous page, was talking about the dictionaries hackers use to brute-force their way through passwords. And let's face it, any decent dictionary would have Batman in it, as well as "Bat" and "man" separately. To overcome this, we only need to insert two letters from the source into our password instead of one. Let's say we always take the second letter from the left of the source and put it in as the second letter from the left of Batman, then take the second letter from the right of the source and put it in as the second letter from the right of Batman.

Bmatmaon#422
Our dictionary-safe, always different password on Amazon.

Bwatmaen#422
The same thing on Twitter.

Bnatmaan#422
And finally on Instagram.

Bmatmaon#422, Bwatmaen#422 and Bnatmaan#422 look and feel pretty random, they are not in any dictionary, and they are always going to be different depending on which site you are using them on (plus you can always choose a more complicated base password of course). Also, if you're paranoid, you can tweak this further by swapping the letters around or going with the next or the previous letter in the alphabet, so instead of the "m" of Amazon you could write an "n" for example. This of course requires a bit of thinking every time, but it gets quicker the more you use it. It can also be a bit of fun: when you have no idea what password you used for a service back then, you assemble this, and presto, it just works. I had this experience at Riot not too long ago with our Adobe Cloud services. Felt great!
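The derivation rule from the paragraphs above, written out as a small script so you can check it against the three passwords listed. This is an added example, not code from the original post; the function names, the `shift` option (the "next or previous letter" tweak) and the short word list standing in for a cracking dictionary are this example's own choices.

```python
# Added example: the "second letter from each end" rule described above,
# plus the optional alphabet shift and the simpler first-letter variant.
# Function names and the BASE_WORDS list are this example's own choices.

def shift_letter(ch, shift):
    """Move an ASCII letter `shift` places along the alphabet, keeping case.
    Non-letters (digits, symbols) come back unchanged."""
    if ch.isascii() and ch.isalpha():
        start = ord("A") if ch.isupper() else ord("a")
        return chr(start + (ord(ch) - start + shift) % 26)
    return ch

def derive_prefix(base_word, suffix, source):
    """First variant: the source's first letter goes in front of the base."""
    if not source:
        raise ValueError("source name must not be empty")
    return source[0] + base_word + suffix

def derive_password(base_word, suffix, source, shift=0):
    """Second variant: the source's 2nd letter from the left becomes the base
    word's 2nd letter from the left, and the source's 2nd letter from the
    right becomes the base word's 2nd letter from the right. `shift` applies
    the next/previous-letter tweak (shift=1 turns Amazon's 'm' into 'n')."""
    if len(source) < 2 or len(base_word) < 2:
        raise ValueError("source and base word need at least two characters")
    left = shift_letter(source[1], shift)
    right = shift_letter(source[-2], shift)
    word = base_word[0] + left + base_word[1:-1] + right + base_word[-1]
    return word + suffix

# Constructed word list standing in for the dictionary a cracker would use.
BASE_WORDS = ("batman", "bat", "man")

def contains_word(password, words=BASE_WORDS):
    """True if any dictionary word survives intact inside the password."""
    lowered = password.lower()
    return any(w in lowered for w in words)

if __name__ == "__main__":
    for site in ("Amazon", "Twitter", "Instagram"):
        pw = derive_password("Batman", "#422", site)
        print(f"{site:10s} {pw}  dictionary word inside: {contains_word(pw)}")
```

Running it reproduces the three passwords from the text and shows that the one-letter variant (ABatman#422) still contains "bat" and "man" intact, while the two-letter variant does not.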

Don't forget though that everything and anything can be hacked, cracked and broken into; it just depends on how much time, energy, and/or money someone is willing to spend to do it. Still, using the method above you'll make sure your passwords are complex, memorable and unique, which, in theory at least, makes them pretty strong. At least until you end up trading them for a bar of chocolate.
